OceanBase Migration Service (OMS) Community Edition has an account system. You can configure an SSO integration in OMS Community Edition and log in to the OMS Community Edition console by using SSO. This topic describes how to create an SSO integration.
Prerequisites
You have logged in to the OMS Community Edition console as an ADMIN user.
You have deployed an authorization server.
Limitations
OAuth2 or OIDC integration supports only the authorization code mode.
When you log off from OMS Community Edition after logging in by using OAuth2 or OIDC, only the login status of OMS Community Edition is cleared. The login status of the SSO system is not cleared.
Procedure
Log in to the OMS Community Edition console.
In the left-side navigation pane, choose System Management > SSO Management.
On the SSO Management page, click Create SSO Integration in the upper-right corner.
In the Create SSO Integration dialog box, configure the parameters.
Basic Information
Parameter | Description
Configuration Name | The login name, which must start with an English letter and end with an English letter or a number. It can contain English letters, digits, and underscores (_). The length must be 2 to 32 characters.
Type | The type of the SSO integration. Valid values: OAuth2 and OIDC.
OAuth Information
Parameter | Description
Client ID | The application identifier. Make sure that it is consistent with the configuration in the authorization server.
Client Secret | The application key. Make sure that it is consistent with the configuration in the authorization server.
Auth URL | The URL provided by the authorization server for obtaining the grant code.
Token URL | The URL provided by the authorization server for obtaining the access token.
User Info URL | (Optional) The URL provided by the authorization server for obtaining the user information.
Redirect URL | The URL provided by the authorization server for redirecting to the OMS Community Edition service. Notice: If the SSO system has a callback allowlist, you must add the URL to the allowlist.
Scope | The authorization scope of the application. You can enter one or more scopes. We recommend that you set the scope to profile. Notice: When you configure SSO by using a third-party application, the Scope parameter is required.
Advanced Options
You can choose whether to enable Advanced Options. If you enable this option, configure the following parameters.
Parameter | Description
jwkSet URL | (Optional) The URL provided by the authorization server for obtaining the public key.
Issue URL | (Optional) The issue URL of the authentication service. Notice: This parameter is displayed only when you select OIDC as the type.
Client Authentication Method | The authentication method used to authenticate the client to the authorization server.
Authorization Grant Type | The authorization method of OAuth2.
User Info Authentication Method | The authentication method used to authenticate the access token in the resource request.
User Field Mapping
User field mapping identifies the OMS Community Edition account that is associated with an OAuth2 login. To map the user information of a third-party user to the user fields of an OMS Community Edition user, specify the following parameters.
Parameter | Description
Data Structure Type of User Information | The type of the user information data structure.
Username | The username field.
Email | (Optional) The email field.
After the parameters are configured, hover the pointer over the icon on the right of Test Connection and add the URL to the allowlist as prompted. Then, click Test Connection.
After the test is passed, click Save.
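The following pre-flight check is an added example, not part of OMS Community Edition or its documentation. It validates a planned set of values against the rules stated in the tables above and builds the authorization code request, so that you can see the exact redirect URL that must be on the callback allowlist. The dictionary key names, the sample hosts and paths, and the https-only check are assumptions of this example.

```python
import re
import secrets
from urllib.parse import urlencode, urlsplit

# Documented rule: starts with a letter, ends with a letter or digit,
# letters/digits/underscores only, 2 to 32 characters in total.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,30}[A-Za-z0-9]")

# Fields the tables do not mark as optional (Scope is required for third-party apps).
REQUIRED = ("client_id", "client_secret", "auth_url", "token_url", "redirect_url", "scope")
URL_FIELDS = ("auth_url", "token_url", "user_info_url", "redirect_url", "jwk_set_url", "issue_url")

def check_integration(cfg):
    """Return a list of problems found in cfg (an empty list means it passed)."""
    problems = []
    if not NAME_RE.fullmatch(cfg.get("name", "")):
        problems.append("name: violates the Configuration Name rule")
    if cfg.get("type") not in ("OAuth2", "OIDC"):
        problems.append("type: must be OAuth2 or OIDC")
    for key in REQUIRED:
        if not cfg.get(key):
            problems.append(f"{key}: required")
    for key in URL_FIELDS:
        value = cfg.get(key)
        # Assumption of this example, not a documented OMS rule: https only.
        if value and (urlsplit(value).scheme != "https" or not urlsplit(value).netloc):
            problems.append(f"{key}: expected an absolute https URL")
    return problems

def authorization_request(cfg, state=None):
    """Build the authorization code request URL and return it with its state value."""
    query = {
        "response_type": "code",              # authorization code mode only
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_url"],  # must be on the callback allowlist
        "scope": " ".join(cfg["scope"]),
        "state": state or secrets.token_urlsafe(16),  # anti-CSRF value
    }
    return f'{cfg["auth_url"]}?{urlencode(query)}', query["state"]

# Constructed sample values; hosts, paths and the secret are placeholders.
SAMPLE = {
    "name": "corp_idp1", "type": "OIDC",
    "client_id": "oms-client", "client_secret": "placeholder-secret",
    "auth_url": "https://idp.example.com/authorize",
    "token_url": "https://idp.example.com/token",
    "redirect_url": "https://oms.example.com/callback-placeholder",
    "scope": ["profile"],
}
```

The redirect_uri value in the generated request is the string that the authorization server compares against its callback allowlist, so it must match the configured Redirect URL exactly.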
What to do next
On the SSO Management page, enable the SSO integration that you created. For more information, see Enable or disable an SSO integration.